portainer / portainer

Making Docker and Kubernetes management easy.
https://www.portainer.io
zlib License

Error add an environment (Docker API | TLS | Skip Certification Verification) b/c of invalid certificate #8011

Open 1thorsten opened 1 year ago

1thorsten commented 1 year ago

Bug description: I want to add a docker environment. Type: Docker Standalone, API; TLS: true; Skip Certification Verification: true

Despite the fact that I'm selecting (Skip Certification Validation) I get the following error: Failure: Invalid certificate file. Ensure that the file is uploaded correctly

Expected behavior: The environment should be added successfully.

Portainer Logs:

    2022/11/08 15:53:20 server: Reverse tunnelling enabled
    2022/11/08 15:53:20 server: Fingerprint 13:cb:e2:60:a6:7a:d1:9e:9b:4a:12:48:15:b3:49:3d
    2022/11/08 15:53:20 server: Listening on 0.0.0.0:8000...
    2022/11/08 03:53PM INF github.com/portainer/portainer/api/cmd/portainer/main.go:789 > starting Portainer | build_number=24674 go_version=1.18.3 image_tag=linux-amd64-2.16.0 nodejs_version=14.20.1 version=2.16.0 webpack_version=5.68.0 yarn_version=1.22.19
    2022/11/08 03:53PM INF github.com/portainer/portainer/api/http/server.go:337 > starting HTTPS server | bind_address=:9443
    2022/11/08 03:53PM INF github.com/portainer/portainer/api/http/server.go:322 > starting HTTP server | bind_address=:9000

Steps to reproduce the issue:

  1. Go to 'Environments'
  2. Click on 'Add Environment'
  3. Click on 'Docker Standalone'
  4. Click on 'Start Wizard'
  5. Click on 'API'
  6. Fill in Name and Docker API URL
  7. Enable 'TLS'
  8. Enable 'Skip Certification Verification'
  9. Click on 'Connect'
  10. See error


Technical details:

Additional context: The error has existed since 2.13.0. Version 2.11.1 works fine.
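To make the expected behaviour in this report concrete, here is an added example (not Portainer's own code) of building the client-side tls.Config in Go so that 'Skip Certification Verification' needs no CA file, while verification without it requires a parseable CA; the TLSOptions type and NewTLSConfig function are hypothetical names chosen for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
)

// TLSOptions mirrors the wizard switches in the report (hypothetical type, not Portainer's own).
type TLSOptions struct {
	Enabled    bool
	SkipVerify bool   // "Skip Certification Verification"
	CAPEM      []byte // uploaded CA certificate; empty when none was given
	CertPEM    []byte // optional client certificate for mutual TLS
	KeyPEM     []byte
}

// NewTLSConfig encodes the behaviour the thread expects: SkipVerify needs no CA,
// otherwise a parseable CA is mandatory, and a client cert/key pair is optional.
func NewTLSConfig(o TLSOptions) (*tls.Config, error) {
	if !o.Enabled {
		return nil, nil // plain HTTP to the Docker API
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if o.SkipVerify {
		cfg.InsecureSkipVerify = true // encrypted, but an impersonated daemon is not detected
	} else if len(o.CAPEM) == 0 {
		return nil, errors.New("TLS verification enabled but no CA certificate supplied")
	} else {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(o.CAPEM) {
			return nil, errors.New("invalid certificate file: CA PEM could not be parsed")
		}
		cfg.RootCAs = pool
	}
	switch { // mutual TLS is independent of how the server is verified
	case len(o.CertPEM) == 0 && len(o.KeyPEM) == 0:
	case len(o.CertPEM) == 0 || len(o.KeyPEM) == 0:
		return nil, errors.New("client certificate and key must be supplied together")
	default:
		pair, err := tls.X509KeyPair(o.CertPEM, o.KeyPEM)
		if err != nil {
			return nil, fmt.Errorf("invalid client certificate/key: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return cfg, nil
}
```

Skipping verification only drops the server-identity check; the plaintext TCP listener used as a workaround later in this thread drops encryption and authentication entirely and hands root-equivalent control of the host to anyone who can reach that port, so it should be shut down as soon as the TLS entry works.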

1thorsten commented 1 year ago

Any chance someone can take a look at this problem?

re-vax commented 1 year ago

@1thorsten, did you handle this issue? I'd really like not to use an ssh tunnel or a vpn workaround, and to use native TLS security to access my remote socket.

1thorsten commented 1 year ago

@re-vax No, unfortunately not. The support here is rather sluggish. I successfully use version 2.11.1. With it, everything works excellently; I can also do without the new functions.

1thorsten commented 1 year ago

Hi @re-vax, finally I found a workaround for adding hosts with TLS. On the Docker host you want to add to Portainer, you need to expose the Docker socket via TCP (e.g. socat):

docker run --rm -v /var/run/docker.sock/:/var/run/docker.sock --network host alpine/socat -d -d tcp-listen:12375,fork,reuseaddr unix-connect:/var/run/docker.sock

Now you can add the host (environment) to Portainer. After that, edit the properties for this entry, change the port and switch to TLS. Then terminate the non-TLS connection (socat).

That should do the trick..., but I'm still hoping for a proper solution.

br Thorsten

re-vax commented 1 year ago

Hey! Thanks for your workaround.

In my case, I used an ssh tunnel to join my remote host with encryption. Still thinking about a cleaner solution too.

./vAx

1thorsten commented 1 year ago

At the moment I'm using socat in conjunction with traefik. This works very well. With traefik I have logging and it's possible to add an authentication layer for more sophisticated clients than portainer.

1thorsten commented 1 year ago

Any chance someone can take a look at this problem?

peterbuga commented 1 year ago

> Hi @re-vax, finally I found a workaround for adding hosts with TLS. On the Docker host you want to add to Portainer, you need to expose the Docker socket via TCP (e.g. socat):
>
> docker run --rm -v /var/run/docker.sock/:/var/run/docker.sock --network host alpine/socat -d -d tcp-listen:12375,fork,reuseaddr unix-connect:/var/run/docker.sock
>
> Now you can add the host (environment) to Portainer. After that, edit the properties for this entry, change the port and switch to TLS. Then terminate the non-TLS connection (socat).
>
> That should do the trick..., but I'm still hoping for a proper solution.
>
> br Thorsten

@1thorsten thanks for the tip! I was able to add TLS connections with a self-signed certificate, although I'm not sure exactly what you meant by "After that edit the properties for this entry and change the port and switch to TLS". I cannot find any of these settings in the web UI; I had to manually edit portainer.db and it's very tedious 😒

Looking forward to a fix!

cwchristerw commented 1 year ago

I can confirm that it's not possible to add a Docker API environment with TLS enabled without adding a CA Cert, Cert and Private Key :smile: It should work with enabling TLS and a CA Cert.

pantovad commented 11 months ago

Guys, it is beyond shocking that you did not fix this bug, which should be considered severe, after more than a year. We are paying the license for this product and this issue is blocking our deployments.

wkoot commented 3 weeks ago

I can confirm that it's not possible to add a Docker API environment with TLS enabled without adding a CA Cert, Cert and Private Key 😄 It should work with enabling TLS and a CA Cert.

However, it's not a problem to add it with a different crt and key than the ones actually exposed by the Docker API. The environment is added regardless of the cert it is exposing itself.